Heartland data breach hit 160 banks (and rising) More than 160 banks have been affected by the information security breach at US payment processor Heartland Security. Heartland admitted that on 20 January, while US attention was on the Obama presidential inauguration, that a breach in its processing systems last year led to the disclosure of an unspecified number of customer …
Retailers are at the mercy of credit card transaction processing companies. I work in IT at a large retailer and the credit processing company has installed software that handles and transmits the card and customer information to its servers. We are not allowed to look at the source code running on our servers. We (have to) trust the company but what about the programmers they used? Was code contracted out to third world or eastern European shops? There should be laws in place that ensure data breaches like this result in criminal prosecution of the executives in charge. Maybe then someone at these credit card data processing firms will take security seriously.
It could have been far worse, it could have been intellectual property that would have destroyed competative advantage of a company. Data owners need to feel assured that Data Custodians at IT can provide adequate security to mitigate such risks. There is an element of negligence and certainly shows lack of due care. Technologies exist and we have implemented several of these that would have prevented classified information such as credit card data from leaving the enterprise in an unauthorized manner. There is regulatory compliance in place to protect credit card information with the PCI DSS however applying it to ensure compliance is another matter. Why did the IT department not look at a data leakage prevention solutions? Did the Data Custodians know the business impact of such an act? Will business be able to recover from brand damage and lack of confidence in a worst recession in years?
If you were to apply a standard fine, say £1500 per customer record lost - payable to the customer, the problem would disappear in a second. Its only because there are no repercussions for the data-loser that we see data losses.
If it was a matter of business survival, the game would soon change.
@Mike - I seem to recall that they setup a helpline at the time, maybe it's still there, did you ask them? Also, it was a stolen server...
@AC 1401 - I don't really think that standard fines are the way forward, I can't imagine that you'd ever see a standard fine for a victim of a phscial theft. It all depends upon wheather the custodian of the data has been wreckless with the customer's data of if the thief has been particularly skilled in their theft. Also, a pretty good warning for companies is the something like 90% of companies that fail in a year after a major data loss.
@TW Burger - Why should the payments comany show you their sorce code? What difference does it make? Also what difference does it make where the code is written? Also, again, if the management of a company have taken sensible steps to protect data and then have had it stolen from them by a skilled theif, why should they be prosecuted? You just can't have mandatory punishments for people who are easily argued to be one of the victims of the crime.
"Heartland admitted that on 20 January, while US attention was on the Obama presidential inauguration, that a breach in its processing systems last year led to the disclosure of an unspecified number of customer records."
That's why.
I had to read that sentence several times before I figured out what the problem was.
Heartland wasn't breached on Jan 20 at all, they were breached the previous year.
What that sentence should say is 'Heartland admitted on 20 January, while US attention was on the Obama presidential inauguration, that a breach in its processing systems last year led to the disclosure of an unspecified number of customer records. "
The superfluous "that" in there gives the whole paragraph a different and totally erroneous meaning.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
